

Alert PushDo Trojan Variant Has New Domain Generation Algorithm

Folks, the point of this article is that if you have not already started using the new web component on the managed services (MspManagedNetwork), you may be rebuilding new machines for your clients, which will not make them happy. CryptoLocker is not a joke. If you need help, you know my email address and phone number; I am here to be of service to my resellers and clients.

July 16th, 2014, 15:43 GMT • By Ionut Ilascu

Security researchers have found a fresh version of the PushDo malware component that changes the encryption keys used for communication across the botnet and with its command and control (C&C) server.

Malware writers have produced several variants of the PushDo Trojan; the one Bitdefender's researchers found keeps the same communication protocol but switches to a different private/public key pair.

A second change is that the new revision carries an encrypted overlay appended to the binaries, which appears to serve as a validation check. “If the conditions specified in the overlay aren’t met, the sample doesn’t run properly,” the researchers explain in a post on Bitdefender’s blog.

The list of domain names produced by the built-in domain generation algorithm (DGA) now also contains about 100 clean (legitimate) entries. The DGA exists to hide the real command and control server: because each bot can compute and try a fresh set of candidate domains on its own, taking down any single domain does little, which makes the botnet harder to disrupt. The clean entries matter for defenders too: a blocklist built blindly from every domain the sample resolves would block legitimate sites, so those entries have to be filtered out first.

Bitdefender reports that a new DGA is in place: the structure of the algorithm is unchanged, but the pattern of the generated domain names differs. The company sinkholed one of the generated domains, and 2,336 unique IP addresses connected to it in less than three hours.
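The two defensive steps the article describes, pre-computing a reversed DGA's domains (minus the clean decoys) so they can be registered or sinkholed, and counting unique sources hitting a sinkhole over a time window, as an added example. This is illustrative code written for this page, not Bitdefender's tooling, and the toy date-seeded hash DGA is a stand-in, not the PushDo algorithm (the article gives no details of it). The decoy list, seed, and sinkhole log lines are all constructed.

```python
"""Added example: working with a reversed DGA and a sinkhole log.

Illustrative code written for this page. The DGA below is a toy stand-in,
NOT the PushDo algorithm; the decoy domains and log lines are constructed.
"""
from __future__ import annotations

import hashlib
import ipaddress
from datetime import date, datetime, timedelta

TLDS = ("com", "net", "org")

# Hypothetical legitimate domains the toy DGA mixes into its output, in the
# role of the ~100 clean entries the article mentions. Constructed, not real.
DECOY_DOMAINS = frozenset({"example.com", "example.net", "example.org"})


def toy_dga(day_iso: str, count: int = 10, seed: bytes = b"toy-seed") -> list[str]:
    """Deterministic stand-in DGA: SHA-256(seed | date | index) -> domain.

    Bot and defender compute the same list for the same day, which is what
    makes pre-registration or sinkholing possible once the algorithm is known.
    """
    day = date.fromisoformat(day_iso)
    domains = []
    for i in range(count):
        digest = hashlib.sha256(seed + day.isoformat().encode() + bytes([i])).digest()
        label = "".join(chr(ord("a") + b % 26) for b in digest[:12])  # 12 letters
        domains.append(f"{label}.{TLDS[digest[12] % len(TLDS)]}")
    return domains


def bot_resolution_list(day_iso: str) -> list[str]:
    """What an infected host would resolve: generated domains plus clean decoys.

    The decoys hide which lookups matter and make a blocklist built naively
    from observed DNS traffic break legitimate sites.
    """
    return toy_dga(day_iso) + sorted(DECOY_DOMAINS)


def sinkhole_candidates(day_iso: str, window_days: int = 3) -> set[str]:
    """Domains worth registering or sinkholing for `day_iso` and following days.

    Decoys are removed: they are real sites and must never be sinkholed.
    """
    start = date.fromisoformat(day_iso)
    cands: set[str] = set()
    for offset in range(window_days):
        cands.update(bot_resolution_list((start + timedelta(days=offset)).isoformat()))
    return cands - DECOY_DOMAINS


# Constructed sinkhole access log: timestamp, source IP, method, path, Host.
# Addresses come from documentation ranges; the last line is deliberately
# malformed so the parser's junk handling is exercised.
SINKHOLE_LOG = """\
2014-07-15T10:00:01Z 203.0.113.5 GET / abcdefghijkl.com
2014-07-15T10:00:07Z 198.51.100.7 GET / abcdefghijkl.com
2014-07-15T10:02:11Z 203.0.113.5 GET / abcdefghijkl.com
2014-07-15T12:59:58Z 192.0.2.44 GET / abcdefghijkl.com
2014-07-15T13:00:01Z 192.0.2.99 GET / abcdefghijkl.com
not a log line
"""


def unique_sources(log: str, start_iso: str, hours: float) -> set[str]:
    """Unique client IPs that hit the sinkhole in [start, start + hours)."""
    start = datetime.strptime(start_iso, "%Y-%m-%dT%H:%M:%SZ")
    end = start + timedelta(hours=hours)
    seen: set[str] = set()
    for line in log.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
            ip = ipaddress.ip_address(parts[1])
        except ValueError:
            continue  # malformed timestamp or address: skip it, do not abort
        if start <= ts < end:
            seen.add(str(ip))  # repeat hits from one host count once
    return seen


if __name__ == "__main__":
    print("bot would resolve:", bot_resolution_list("2014-07-15"))
    print("sinkhole these:", sorted(sinkhole_candidates("2014-07-15")))
    print("unique IPs in first 3h:", len(unique_sources(SINKHOLE_LOG, "2014-07-15T10:00:00Z", 3)))
```

Counting unique source addresses rather than raw requests is what gives a figure like the 2,336 reported above; a single infected host usually beacons repeatedly, so request counts overstate the infection tally, and NAT means the unique-IP count still undercounts hosts.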

According to Bitdefender, India, Vietnam, and Turkey have the largest numbers of PushDo infections, with the US not too far behind.

The investigation is under way at the moment and no additional details have been provided by the security researchers.